|6.0 < 6.6
Several vulnerabilities have been discovered in the Expat XML parser library (aka libexpat).
This open-source component is used in many products worldwide.
A remote, anonymous attacker could use an integer overflow to execute arbitrary program code when loading specially crafted XML files.
The Profinet SDK uses the Expat XML parser library as its reference solution for loading the XML-based Profinet network configuration files (IPPNIO or TIC).
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.
Availability, integrity, or confidentiality of a device using the PROFINET Controller Stack might be compromised by attacks exploiting these vulnerabilities. If specially crafted Profinet network configuration files (IPPNIO or TIC) are loaded during the Profinet startup, an integer overflow leads to a buffer overflow, which enables the attacker to elevate privileges and obtain access to the device. The attacker may take over the system, steal data, or prevent a system or application from running correctly.
The PROFINET Device Stack provides an optional configuration possibility via the above-mentioned files and might be vulnerable when this dedicated use case is supported.
The PROFINET SDK includes an Engineering tool as a reference solution to generate Profinet configuration IPPNIO or TIC XML files. This configuration is transferred to a device running the Profinet stack and loaded during startup of the Profinet stack.
When the IPPNIO or TIC files are transferred via an untrusted environment (e.g. network or e-mail, …), an attacker who knows the vulnerabilities mentioned above might manipulate the files in a specific way to gain access to the device.
To mitigate these vulnerabilities, the integrity and authenticity of the configuration data must be ensured by transferring the data only via trusted connections.
Advice on how to ensure trusted connections can be found in the following document:
Measures to protect network-capable devices with Ethernet connection.
Companies that use their own configuration system instead of the reference solution are not affected as long as they don't utilize the related libexpat library.
We kindly advise you to check whether the libexpat library is used in your specific configuration tool chain and, if so, whether its version number is 2.4.6 or higher.
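One way to automate the version check described above, as an added example that is not part of the SDK or of libexpat: it classifies a version string against the thresholds listed in this advisory. It assumes the string has the form returned by libexpat's XML_ExpatVersion() (for example "expat_2.4.5") or a plain "X.Y.Z"; the function and flag names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Flag names are this example's own; thresholds are those stated in the advisory. */
enum {
    EXPAT_BELOW_ADVISED = 1, /* older than 2.4.6, the version the advisory asks for */
    EXPAT_LT_2_4_5      = 2, /* namespace separators, encoding validation, build_model */
    EXPAT_LT_2_4_4      = 4, /* XML_GetBuffer signed integer overflow */
    EXPAT_LT_2_4_3      = 8  /* storeAtts left shift / realloc misbehavior */
};

/* Numeric, component-wise "v < maj.min.mic" (so 2.10.0 is newer than 2.4.6). */
static int older_than(const int v[3], int maj, int min, int mic)
{
    const int ref[3] = { maj, min, mic };
    for (int i = 0; i < 3; i++)
        if (v[i] != ref[i])
            return v[i] < ref[i];
    return 0;
}

/* Accepts "expat_2.4.5" (form returned by XML_ExpatVersion()) or "2.4.5".
   Returns a flag set, 0 if at or above 2.4.6, -1 if the string is not a clean X.Y.Z. */
int expat_findings(const char *s)
{
    int v[3], used = 0, flags = 0;
    if (s == NULL) return -1;
    if (strncmp(s, "expat_", 6) == 0) s += 6;
    if (strspn(s, "0123456789.") != strlen(s)) return -1;   /* digits and dots only */
    if (sscanf(s, "%4d.%4d.%4d%n", &v[0], &v[1], &v[2], &used) != 3 || s[used] != '\0')
        return -1;
    if (older_than(v, 2, 4, 6)) flags |= EXPAT_BELOW_ADVISED;
    if (older_than(v, 2, 4, 5)) flags |= EXPAT_LT_2_4_5;
    if (older_than(v, 2, 4, 4)) flags |= EXPAT_LT_2_4_4;
    if (older_than(v, 2, 4, 3)) flags |= EXPAT_LT_2_4_3;
    return flags;
}

int main(void)
{
    /* Constructed sample strings, not taken from any real tool chain. */
    const char *samples[] = { "expat_2.4.2", "expat_2.4.5", "2.10.0", "2.4" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %d\n", samples[i], expat_findings(samples[i]));
    return 0;
}
```

A return value of -1 should be treated as "version unknown" and investigated rather than assumed safe.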
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.